Used car security questioned over former owners' app connections

Manufacturers have no way to disconnect cars' apps from former owners who can track their old cars, a computer security expert has warned

by: Martin Saarinen

21 Feb 2017

Used car buyers can have their cars tracked by former owners who fail to disconnect their smartphones from applications in cars, a computer security researcher has warned.

IBM researcher Charles Henderson has called on carmakers to do a better job of protecting new owners after he found he was still connected to his old car a year after selling it.

Henderson said that even though he deleted all personal details in the car before selling it on, it remained linked with his phone, allowing him to track its details.

He argued that manufacturers have no way to disconnect the car's apps from former owners. “The car is really smart but it’s not smart enough to know who its owner is, so it’s not smart enough to know it’s been re-sold.”

Auto Express previously highlighted similar issues with a number of other owners. A Land Rover Discovery Sport owner who sold his car privately was able to continue accessing the car’s InControl app even though the new owner was now on the other side of the country. He could still find out the car's location and, worryingly, whether or not it was locked.

Another second-hand owner contacted Auto Express over saved addresses on his Honda CR-V's sat-nav. They had bought the car from a “famous celebrity’s wife” but were stunned to see all previous sat-nav destinations were stored in the car’s system.

Both Land Rover and the Society of Motor Manufacturers and Traders told Auto Express that while manufacturers are able to remove owners’ details from cars (but not necessarily disconnect them from the apps), it’s the user’s responsibility to remove their old vehicle from their account after selling it.

The news comes after cyber security firm Kaspersky Lab found security issues with seven Android apps for cars. For now the company has not named the apps, but said they lacked the most basic software defences to protect drivers from having their details stolen.

The company said hackers could use any of the seven apps to locate a car, unlock it and, in some instances, even start it. Viktor Chebyshev, a Kaspersky researcher, said: “Why don’t connected car application developers care about security as much as the developers of banking applications? They are also controlling very valuable things for the user, but they’re not thinking about security mechanisms.”